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<?xml version="1.0" ?> 

<AgentProtocol xmins="http://www.nai.com n 
xmlns:xsi="http://www.w3.org/2001/XMLSchema~instance n 
xsi:schemaLocation="http://www.nai.com CustomActionsProtocoI.xsd"> 

- <ControIData> 
<Version>0x0100000K/Version> 
<MinVersion>Ox0100000K/MinVersion> 
<Command>RequestCustomAction</Command> 
<Server>nedlwnts2ke</Server> 

</ControlData> 

- <CustomActions 

ld = "<AGENT_INSTALLED — DIR>\\CustomActionsLibrary\\CustActl.dir i > 

- <Method id= ,, GetRegStringValue n > 
<Parameter id = n Key" type="xs:string" 

inout= n in"><AGENT„INSTALLED_REGKEY></Pararneter> 
<Parameter id="Va!uename" type="xs:string n 

inout="in n >AgentVersion</Parameter> 
<Parameter id="Result" type="xs:string" inout="out" /> 
</Method> 
</CustomActions> 

- < Custom Actions id="{06E0062A-5069-4793-ACED-F80BElBBC4AF}"> 
<Interface id- "{C9E1CC03-8007-412A-8F5D-532C57DF4482} "> 

- <Method id= "ExecuteSilentInstalIation n > 
<Parameter id = M ProductName" type="xs:string" 

inout= ,, in">TestInstallProduct</Parameter> 
1 <Parameter id="ProductVersion" type="xs:decimal" 

jg inout="in">0x01000001</Parameter> 
yj <Parameter id="Location" type="xs:string" 

p inout="in M >c:\InstallImages</Parameter> 
%i <Parameter id="Result" type="xs:string n inout="out" /> 

O </Method> 
</Interface> 

- interface id = n -CC9ElCC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method id="GetSystemDirectory"> 
<Parameter id -"Directory" type-'xsrstring" inout="out" /> 
<Parameter id="ResuIt" type-'xsrdecimal" inout-"out" /> 

</Method> 
</Interface> 
</Custom Actions > 

< Custom Actions id-"{06E0062B-5069-4793-ACED-F80BElBBC4AF}"> 

- <Interface id- "{AG00CC03-8007-412A-8F5D-532C57DF4482> "> 

- <Method id= ,, TriggerEvent"> 
<Parameter id= r, EventID" type="xs:decimal" 

inout-"in">1000</Parameter> 
<Parameter id-'EventDescription" type="xs:decimar 
inout="in">The event %EventID% has been triggered by % 
USERNAME% on computer o/oCOMPUTERNAME%. The % 
FILENAME 0 /*) file is infected with %VIRUSNAME%. This has 
been detected by engineversion °/oENGINEVERSZON°/o 
datversion %DATVERSION%.</Parameter> 
<Parameter id= "COMPUTERNAME" type-'xsrstring" 

inout-"in">sourcecomputer</Parameter> 
<Parameter id = " USE RN AM E" type="xs:string" 

inout= n in">sourceuser</Parameter> 
<Parameter id-'FILENAME" type="xs:string" r^"^ 

inout="in">kernel32.dII</Parameter> ! q 
<Parameter id-"VIRUSNAME" type="xs:string" 
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inout="in">Nimbda</Parameter> 
<Parameter id="ENGINEVERSION" type="xs:decimar 

inout="in">0xO400500K/Parameter> 
<Parameter id = " D AT VE RSIO N " type="xs:decimar 

inout="in">Ox07003009</Parameter> 
<Parameter id = "Result" type="xs:string" inout="out" /> 
</Method> 
</Interface> 
</CustomActlons> 
</AgentProtocol> 
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<?xml version="1.0" ?> 
• <AgentProtocoi xmlns= "http://www.nai.com" 

xmins:xsi="http://www.w3.org/200i/XMLScheIna-^nstance ,, 
xsi:schemaLocation="http://www.nai.com CustomActionsProtocoI.xsd "> 

- <ControlData> 

<Version>0x0100O001</Version> 
<MinVersion>Ox0100000K/MinVerslon> 
<Command>RspondToCustomAction</Command> 
<Server>nedlwnts2ke</Server> 
</ControlData> 

- <CustomActions 

id = "<AGENT_INSTALLED_DIR>\\CustomActionsLibrary\\CustActl.dll , > 

- <Method id= "GetRegStringValue^ 

<Parameter id = "Result" type="xs:string" 
inout="out">5.0.1.10</Parameter> 

</Method> 
</CustornActions> 

- <CustomActions id="{06E0062A-5069-4793-ACED-F80BElBBC4AF}"> 

- <Interface id=' '{C9ElCC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method id= ExecuteSilentlnstallation' > 

<Parameter id="Result" type="xs:string" inout="out">Error: Invalid 
Image path specified. </Parameter> 
</Method> 
</Interface> 

- <Interface id= "{C9ElCC03-8007-412A-8F5D-532C57DF4482}"> 

- < Method id= "GetSystemDirectory"> 

<Parameter id= "Directory" type="xs:string" 

inout="out">C:\Winnt\System32</Parameter> 
<Parameter id="Result" type="xs:decimal" 
inout="out">0</Parameter> 
</Method> 
</Interface> 
</Custom Actions > 

- < Custom Actions id= {06E0062B-5069-4793-ACED-F80BE1BBC4AF} "> 

- <Interface id= "{A000CC03-8007-412A-8F5D-532C57DF4482}'> 

- < Method id = "TriggerEvent"> 

<Parameter id= "Result" type="xs:string" inout="out">Event sent to 
testcomputer2</Parameter> 

</Method> 
</Interface> 
</CustomAct ions > 
</AgentProtocol> 
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<?xml version="1.0" ?> 
- <AgentProtocoi xmlns="http://www.naLcotn" 

xmins:xsi="http://www,w3.6rg/2001/XMLSchema--instance" 
xsi:schemaLocation="http://www. nai.com CustomActionsProtocol.xsd 
http://www.nai.com AgentConfiguration.xsd"> 

- <ControiData> 

<Version>0x01000001</Version> 
<MinVersion>0x01000001</MinVersion> 
<Command>RequestCustomAction</Command> 
<Server>nedlwnts2ke</Server> 
</ControiData> 

- <CustomActions id= RegistryMapping,dH> 

- <Method !d="WhteConfig"> 

- <RegistryConfiguration 

id = "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee"> 
- <Product id="AIert Manager"> 

<Version>0xO4070000</Version> 
<DispiayName>Alert Manager 4.7</DisplayName> 
- <Language id="0407 M > 
CI <Verslon>0x01000002</Version> 
O - <Event id="l"> 

|B < LONGDESCRIPT> Das ist eine Test-Nachricht von Alert 

® Manager. </LONGDESCRIPT> 

ft <SHORTDESCRIPT>Testing</SHORTDESCRIPT> 

<Severity>5</Severity> 
* <Enabled>K/Enabled> 
L </Event> 
?1 </Language> 
|i{ - <Language id="0409"> 

J1 <Version>0x01000002</Version> 

- < Event id="r> 

|f § . <LONGDESCRIPT>This is an alert manager test 

messge.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
< Severity > 0</Severity > 
<Enabled>l</Enabied> 
</Event> 

- <Event id="2"> 

<LONGDESCRIPT>Text of event 2.</L0NGD£SCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity > 1 </Severlty > 
</Event> 
</Language> 
</Product> 
</ Reg istryConf Ig uration > 
</Method> 
■- <Method id="ReadConfig ,r > 
<RegistryConfiguration 

j d = " H K E Y_LO C A L_M AC H I N E \ SO FT W A RE \ M c A f e e \ * " /> 
</Method> 
</CustomActions> 

- <CustomActions id= "INIFileMapping.dir> 

- <Method id = "WriteConfig"> 

- <Fi!eConfiguration id="C:\Program Files\Alert \ ^ 
Manager\AMGConfig.ini"> \\<\ 
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< a mg > AMGConf ig </a mg > 

< asf > M P EG Video </asf > 
<wmp>MPEGVideo2</wmp> 

</Extensions> 
</FileConfiguration> 
</Method> 

- <Method id="ReadConfig"> 

<FiieConfiguration id="C:\Program Files\Aiert 
Manager\AMGConfig.ini" /> 
</!Method> 
</CustomActions> 
- <CustomActions id="MAPIMapping.dl!"> 

- <Method id="WriteConfig"> 

- <DAPIConfiguration id= VO=org/OU=TestSite/CN=TestContainer"> 
<BlnaryProperty>0123456789ABCDEF00000</BinaryProperty> 
</DAPIConfiguration> 
</Method> 

- <Method id="ReadConfig n > 

<DAPI Configuration id= VO=org/OU=TestSite/CN=TestContainer" /> 
</Method> 
</CustomActions> 
</AgentProtocol > 
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<?xm( version="1.0" ?> 
<AMGEvents xm!ns="http://www.nai.corn" 
xm]ns:xsj= M http://www,w3.org/2001/xr^LSchema-fnstance 
xsi:schemaLocation="http://www.nai.com AMGEvents.xsd"> 
- <Product id^'Alert Manager"> 

<Version>0x04070000</Verslon> 
<DlsplayName>Alert Manager 4.7</DisplayName> 

- <Language id="0407"> 

<Version>0x010O0002</Version> 

- <Event id="l"> 

<LONGDESCRIPT>Das ist eine Test-Nachricht von Alert 

Manager. </LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 

< Severity > 5 </Severity > 

< Enabled >1</Enabled> 
</Event> 

</Language> 

- <Language id="0409"> 

<Version>0x01000002</Version> 

- <Event id="l"> 

<LOIMGDESCRIPT>This is an alert manager test 

messge.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>0</Severity> 
<Enabled>l</Enab!ed> 
</Event> 

- <Event id="2"> 

<LONGDESCRIPT>Text of event 2.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>l</Severity> 
</Event> 

- <Event id="3"> 

<LONGDESCRIPT>Text of event 3.</L0NGDESCRIPT> 
<SHORTDESCRIPT>Testing</SH0RTDESCRIPT> 

< Severity > 1</Severity> 
</Event> 

- <Event id="4"> 

<LONGDESCRIPT>Text of event 4.</L0NGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>l</Severity> 
</Event> 
</Language> 
</Product> 
</AMGEvents> 
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<?xm! version="1.0" encoding = "UTF-8" ?> 

<!— od.' led with XKL Spy v4.0.1 "J ;ht :.r> ; //www . xnl soy . con) oy Napa Jr. 
(Kapalir.) — > 
- <xs:schema targetNamespace~"http://www. nai.com" 
xmlns="http://www-nai.com n 

xmins:xs="http://www. w3.org/200 i/XMLSchema" 
eiementFormDefault="quaIified"> 

<xs:element name="DispIayName" type="xs:string" /> 
<xs:element name="Enabled" type="xs:booIean" /> 

- <xs:compiexType narne="EventType"> 

- <xs:ali> 

<xs:element ref= "LONGDESCRIPT" /> 
<xs:elernent ref="SHORTDESCRIPT" /> 
<xs:eiernent ref= "Severity" /> 
<xs:element ref="Enabied n minOccurs="0" /> 
</xs:all> 

^ <xs:attnbute name="id" type="xs:string" use="required" /> 

</xs:complexType> 
S - <xs:complexType name= T, LanguageType"> 

- <xs:sequence> 

ff| <xs:element ref="Version" /> 

jg <xs:element name="Event" type="EventType" 

m maxOccurs= "unbounded" /> 

'jj </xs:sequence> 

<xs*. attribute name = "id" type="xs:string" use="required" /> 
p < /xs : co m p I exTy pe > 

id - <xs:eiement name="Product"> 

■q- - <xs:complexType> 

%| - <xs:sequence> 

Q <xs:e!ement ref= "Version" /> 

fll <xs:element ref="DispiayName" /> 

<xs:eiement name="Language" type="LanguageType" 
maxOccurs="unbounded" /> 
</xs:sequence> 

<xs:attribute name = "id" type="xs:string" use="required" /> 
</xs:complexType> 
</xs:element> 

- <xs:element narne="AMGEvents"> 

- <xs:complexType> 
- <xs:sequence> 

<xs:element ref=" Product" maxOccurs="unbounded" /> 
</xs:sequence> 
</xs:complexType> 
</xs:element> 

<xs:efement name= "LONGDESCRIPT" type="xs:string" /> 
<xs:element narne="SHORTDESCRIPT" type="xs:string" /> 
<xs:element name= "Severity" type="xs:string" /> 
<xs:element name="Version" type="xs:string" /> 

</xs:schema> 
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